What Is Claimed Is:

1. A method of scanning a communication received at a firewall for
target content, wherein the communication is directed to one of a set of computer
nodes connected to the firewall, comprising:

maintaining on the firewall a scanning module configured to scan
communications received at the firewall;

maintaining a set of criteria for determining when one of said
communications may be scanned at a computer node connected to the firewall
instead of at the firewall;

partitioning responsibility for scanning said communications between said
firewall and a first computer node connected to the firewall;

receiving a first communication at the firewall, wherein said first
communication is intended for said first computer node;

identifying one or more attributes of said first communication;

determining from said criteria and said attributes whether to scan said first
communication for target content on the firewall;

determining from said criteria and said attributes whether said first
computer node is configured to scan said first communication for said target
content; and

forwarding said first communication to said first computer node;

wherein said first computer node receives and scans the communication
for said target content.

2. The method of claim 1, further comprising:

receiving a second communication at the firewall, wherein said second
communication is intended for a second computer node;

identifying one or more attributes of said second communication;

determining from said criteria and said attributes of said second
communication whether said second computer node is permitted to scan said
second communication for predetermined content;

scanning said second communication at the firewall for said predetermined
content; and

forwarding said second communication to said second computer node;

wherein said second computer node receives but does not scan said second
communication for said predetermined content.

3. The method of claim 2, further comprising marking said second
communication before said forwarding to said second computer node.



4. The method of claim 1, wherein said partitioning comprises:

receiving scanning capabilities of a first computer node connected to the
firewall;

consulting a set of scanning requirements specified by an operator of the
firewall; and

specifying a set of criteria to identify when a communication may be
scanned for target content by said first computer node.



5. The method of claim 4, wherein said partitioning further comprises 
receiving a set of proposed criteria from said first computer node. 



6. The method of claim 1, wherein said determining comprises:

identifying whether said firewall is capable of scanning said first
communication for target content;

determining whether said firewall is configured to share responsibility for
scanning said communications with one or more of said plurality of computer
nodes;

determining whether said first node is capable of scanning said first
communication for said target content; and

determining whether said communication satisfies one or more criteria in
said set of criteria.

7. A method of protecting a network of computer nodes from
computer viruses, wherein the network of computer nodes is connected to a
firewall, comprising:

maintaining a set of scanning rules for determining when a communication
received at a firewall is to be scanned on the firewall and when said
communication may be scanned by the destination node of said communication;

receiving a first communication at the firewall, wherein said first
communication is intended for a first computer node connected to the firewall;

determining whether a first virus scanner is enabled on the firewall;

determining whether a second virus scanner is enabled on said first
computer node;

identifying a first set of attributes of said first communication;

determining from said first set of attributes and said rules that said first
communication is to be scanned on said first computer node;

forwarding said first communication to said first computer node without
scanning said first communication for computer viruses, wherein said first
computer node scans said first communication for computer viruses using said
second virus scanner;

receiving a second communication at the firewall;

identifying a second set of attributes of said second communication;

determining from said second set of attributes and said rules that the
firewall is responsible for scanning said first communication for computer viruses;
and

operating said first virus scanner to scan said second communication for
computer viruses.

8. The method of claim 7, wherein said set of scanning rules
comprises:

a first subset of firewall rules for application by the firewall to determine
how to handle said communication; and

a second subset of proxy rules for application by a proxy operating on the
firewall to determine how to handle said communication.

9. The method of claim 7, wherein said set of scanning rules
comprises:

a first subset of scanning rules for determining when said communication
may be scanned for target content by a destination node of said communication
instead of the firewall; and

a second subset of scanning rules for determining when said
communication is to be scanned on said destination node and not on the firewall.



10. The method of claim 9, further comprising negotiating between the
firewall and said first node to define said first subset of said scanning rules.



11. The method of claim 9, further comprising receiving said second
subset of said scanning rules from a firewall administrator.

12. The method of claim 10, wherein said negotiating comprises:

establishing a secure connection between the firewall and said first node;

receiving at the firewall a proposed set of criteria for determining when
said first node shall scan a communication instead of the firewall; and

determining whether said proposed set of criteria conflicts with said
second subset of said scanning rules.

13. The method of claim 10, wherein said negotiating further
comprises providing said first subset of said scanning rules to said first node.

14. The method of claim 10, wherein said negotiating further
comprises sending an updated version of said second virus scanner to said first
node.

15. The method of claim 10, wherein said negotiating is performed
after said second virus scanner is configured on said first node by a user.

16. The method of claim 10, wherein said negotiating is performed
after said first node is rebooted.

17. A computer readable storage medium storing instructions that,
when executed by a computer, cause the computer to perform a method of
scanning a communication received at a firewall for target content, wherein the
communication is directed to one of a set of computer nodes connected to the
firewall, the method comprising:

maintaining on the firewall a scanning module configured to scan
communications received at the firewall;

maintaining a set of criteria for determining when one of said
communications may be scanned at a computer node connected to the firewall
instead of at the firewall;

partitioning responsibility for scanning said communications between said
firewall and a first computer node connected to the firewall;

receiving a first communication at the firewall, wherein said first
communication is intended for said first computer node;

identifying one or more attributes of said first communication;

determining from said criteria and said attributes whether to scan said first
communication for target content on the firewall;

determining from said criteria and said attributes whether said first
computer node is configured to scan said first communication for said target
content; and

forwarding said first communication to said first computer node;

wherein said first computer node receives and scans the communication
for said target content.

18. A computer readable storage medium containing a data structure
configured to facilitate a determination as to whether a communication received at
a firewall is to be scanned for target content on the firewall or on a destination
node of the communication, the data structure comprising:

a first indicator configured to indicate whether a first communication
scanning module is installed on a firewall;

a second indicator configured to indicate whether a second communication
scanning module is installed on a destination node of a communication received at
the firewall; and

a set of criteria to be applied to said communication to determine if said
communication is to be scanned for target content at the firewall or at the
destination node;

wherein said second indicator and said set of criteria are configured during
a negotiation process between the firewall and the destination node.

19. An apparatus for scanning a communication received at a firewall
to detect target content, wherein the communication is selectively scanned at one
of the firewall and a destination node of the communication, comprising:

a firewall configured to receive a communication from an external entity
for a first node connected to said firewall, said firewall comprising:

a first proxy module configured to establish a connection to the
external entity;

a first scanning module configured to scan said communication for
target content; and

a set of rules configured to determine whether said communication
is to be scanned for said target content on said firewall or on the first node;
and

a first computer node connected to the firewall and comprising a second
scanning module, wherein said first computer node negotiates with said firewall to
configure a first subset of said rules to identify when said first computer node
shall scan said communication rather than said firewall;

wherein a measurement of performance of said firewall is increased as a
result of said first node scanning one or more communications rather than said
firewall.

20. The apparatus of claim 19, wherein said first node further
comprises a negotiation module to negotiate with said firewall on behalf of
multiple scanning modules, including said second scanning module.

21. The apparatus of claim 19, wherein said firewall further comprises
a negotiation module to negotiate with said first node on behalf of multiple
proxies, including said first proxy module.



22. The apparatus of claim 19, wherein said set of rules comprises:

a first set of criteria to be applied for all nodes connected to said firewall
and all communications received at said firewall to determine if a first
communication received at said firewall for a first destination node connected to
said firewall may be scanned for target content by said first destination node rather
than said firewall; and

a second set of criteria to be applied for a subset of said all
communications to determine if said first communication may be scanned for said
target content by said second destination node rather than said firewall;

wherein said second set of criteria are applied by said first proxy module
and said subset of all communications includes communications formatted
according to a predetermined communication protocol; and

wherein said first set of criteria is applied prior to said second set of
criteria.
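
The following sketch is an added illustration, not part of the patent text: it models the data structure of claim 18 (two scanner indicators plus negotiated criteria), the conflict check of claim 12, and the scan-location decision of claims 6 and 7. All names (ScanPolicy, Message, negotiate, decide) are hypothetical, and blocking when no scanner is available is an assumption the claims do not state.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    dest: str           # destination node behind the firewall
    protocol: str       # attribute, e.g. "smtp"
    content_type: str   # attribute, e.g. "application/zip"

@dataclass
class ScanPolicy:
    firewall_scanner: bool                             # first indicator
    node_scanner: dict = field(default_factory=dict)   # second indicator, per node
    delegable: dict = field(default_factory=dict)      # negotiated criteria, per node
    firewall_only: set = field(default_factory=set)    # administrator's rules

    def negotiate(self, node, has_scanner, proposed):
        """Record a node's proposal; return the criteria that conflict
        with the administrator's rules (these are never delegated)."""
        conflicts = proposed & self.firewall_only
        self.node_scanner[node] = has_scanner
        self.delegable[node] = (proposed - conflicts) if has_scanner else set()
        return conflicts

    def decide(self, msg):
        """Return where msg is scanned: 'node', 'firewall' or 'block'."""
        key = (msg.protocol, msg.content_type)
        node_ok = self.node_scanner.get(msg.dest, False)
        allowed = key in self.delegable.get(msg.dest, set())
        # Administrator rules are checked first and always win.
        if key not in self.firewall_only and node_ok and allowed:
            return "node"
        if self.firewall_scanner:
            return "firewall"   # default for unknown or non-negotiated nodes
        return "block"          # assumption: fail closed if nobody can scan

def demo():
    # Constructed sample policy and traffic.
    policy = ScanPolicy(firewall_scanner=True,
                        firewall_only={("smtp", "application/zip")})
    rejected = policy.negotiate(
        "node-a", True,
        {("smtp", "text/plain"), ("smtp", "application/zip")})
    routes = [policy.decide(Message("node-a", "smtp", "text/plain")),
              policy.decide(Message("node-a", "smtp", "application/zip")),
              policy.decide(Message("node-b", "smtp", "text/plain"))]
    return rejected, routes

if __name__ == "__main__":
    print(demo())
```

A node that has never negotiated, or that reports no scanner, is always scanned at the firewall, so delegation can only narrow the firewall's workload and never widens what passes unscanned.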